CVE-2017-18349

CRITICAL EXPLOITED NUCLEI

Fastjson Insecure Deserialization - Remote Code Execution

Title source: nuclei

Description

parseObject in Fastjson before 1.2.25, as used in FastjsonEngine in Pippo 1.11.0 and other products, allows remote attackers to execute arbitrary code via a crafted JSON request, as demonstrated by a crafted rmi:// URI in the dataSourceName field of HTTP POST data to the Pippo /json URI, which is mishandled in AjaxApplication.java.

Exploits (1)

nomisec WORKING POC 2 stars

by h0cksr · poc

https://github.com/h0cksr/Fastjson--CVE-2017-18349-

View Code ZIP pw:eip

Nuclei Templates (1)

Fastjson Insecure Deserialization - Remote Code Execution

CRITICALVERIFIEDby night

References (3)

[Mitigation, Third Party Advisory] https://fortiguard.com/encyclopedia/ips/44059

[Mitigation, Third Party Advisory] https://github.com/alibaba/fastjson/wiki/security_update_20170315

[Exploit, Third Party Advisory] https://github.com/pippo-java/pippo/issues/466

Scores

CVSS v3 9.8

EPSS 0.8890

EPSS Percentile 99.5%

Attack Vector NETWORK

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

VulnCheck KEV 2024-01-22

CWE

CWE-20

Status published

Products (4)

alibaba/fastjson < 1.2.25

com.alibaba/fastjson 0 - 1.2.31Maven

pippo/pippo 1.11.0

ro.pippo/pippo-fastjson 0 - 1.12.0Maven

Published Oct 23, 2018

Tracked Since Feb 18, 2026